While playing around with html purifier filters, I noticed that I can embed videos from any site I want to. Forum posts don't seem to use html purifier. Can someone at Boonex enlighten me here? What's keeping forum posts safe, if not htmlpurifier? I don't know if this is a bug, or if forum posts are processed differently.
Could someone please confirm this issue by posting this embed code in their D7 Site forum?
<object type="application/x-shockwave-flash" height=" 245" width=" 425" data="http://xml.truveo.com/eb/i/2723394623/a/25cfaccbc32c3d1a3fce2890b9f4765c/p/1/h/4b56dda02ad8c64:9a8b0ee8b7352f45c5e0a0d060ba07fd"> <param name="src" value="http://xml.truveo.com/eb/i/2723394623/a/25cfaccbc32c3d1a3fce2890b9f4765c/p/1/h/4b56dda02ad8c64:9a8b0ee8b7352f45c5e0a0d060ba07fd" /> <param name="allowfullscreen" value="true" /> </object>
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
I did a test, and the <script> and <iframe> tags are definitely being stripped, but the <object> tag is not. Not sure this is a good idea, if this is by design.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Can somebody please verify that videos from any site can be posted in their D7 forums? Pretty please with sugar on top????? I have been under the impression that ALL content posted via TinyMCE, but that doesn't seem to be the case.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
I can't test it because, once again, Orca is throwing a fit and refusing to post anything written.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
RE: I can't test it because, once again, Orca is throwing a fit and refusing to post anything written.
Please let me know if there's anything else you can't help me with.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
works here

Orca is almost as good as IPB, heehee :)
RE: I can't test it because, once again, Orca is throwing a fit and refusing to post anything written.
Please let me know if there's anything else you can't help me with.
I'll have my secretary write you up a note sheet. Forum posting also started to work again, so I was able to test some embeddings and Vimeo embeds work, it seems.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
I'm curious as to why Boonex did not use htmlpurifier to filter forum posts. It looks as though your members can have a lot of fun with the <embed> <object> <param> tags.
I don't think I like the idea of members being able to embed a flash file from just about anywhere. Yikes!
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Actually, YouTube embedding is supposed to be supported, so you're exploiting a feature, not a supposed bug. Also, bad choice of video.
Edit: Theguypc failed and then covered it up by deleting his post. Making me look like a crazy person, shame on you.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Levitation Card -Outside Around the Body - Amazing videos are here
Always a critic around. I'm not sure why anyone would have a problem with a workout video, but I removed it to spare you - since you did.
This isn't YouTube, it's from MetaCafe. Although you probably have a problem with this content too - the content of the videos isn't, and wasn't the point.
Much better, web site and video-wise. But, Unity isn't powered by Dolphin, so you're wasting your time here.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Hmmm.... seems someone has a problem with me posting anything tonight.
While it is quite possible that this site isn't running on Dolphin - I'm going by what has been posted several times by unoboonex.
Here is one reference.....
http://www.boonex.com/unity/blog/entry/BoonEx_com_and_Hookie
If I am wrong, I stand corrected. I'm just going by what the owners & management have said. Maybe you are privy to information I don't know about, or maybe you're just trying to pick a fight. I don't know, and frankly I don't care.
The issue exists here & it was said that this site would be running on Dolphin. That is why I posted. If you don't like my replies, that deal with the very issue the initial post was about, move along and ignore my posts.
Have a great day!
Oh, I have no problem with you, nor am I attempting to start any sort of argument with yourself. As for that blog post, I would imagine if the BoonEx web site was powered by Dolphin 7.0, the feature list and the whole web site itself would appear differently. All they did when they re-launched was change the look and alter the existing features, along with adding the paid membership options.
You can indeed post such content here, but you must remember that this site may or may not also be using HTMLPurifier like Dolphin 7.0.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Does anybody here have a clue what I'm talking about in this thread, or understand the possible consequences?
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Does anybody here have a clue what I'm talking about in this thread, or understand the possible consequences?
The inclusion of malicious code among the cute video of a panda sneezing, powered by Vimeo?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
RE: The inclusion of malicious code among the cute video of a panda sneezing, powered by Vimeo?
Exactly, although Vimeo is probably safe, and the sneezing panda can easily be an advert for a porn site instead. You'd be surprised what you can do within an swf file.... just Google "malicious swf". I'm just wondering why Boonex chose to use a different method of cleaning the content that is posted in forums, when they use HTMLpurifier for everything else. I'm sure they had a reason... I'd just like to know what it is. Maybe they just thought it was just fine the way it was. On my own site, I would like to have control over the domains from which content is allowed to be embedded in forums. As it is now, I do not have that control.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
RE: The inclusion of malicious code among the cute video of a panda sneezing, powered by Vimeo?
Exactly, although Vimeo is probably safe, and the sneezing panda can easily be an advert for a porn site instead. You'd be surprised what you can do within an swf file.... just Google "malicious swf". I'm just wondering why Boonex chose to use a different method of cleaning the content that is posted in forums, when they use HTMLpurifier for everything else. I'm sure they had a reason... I'd just like to know what it is. Maybe they just thought it was just fine the way it was. On my own site, I would like to have control over the domains from which content is allowed to be embedded in forums. As it is now, I do not have that control.
My guess is that they either forgot to include the same filtering methods for Orca, or the script didn't like it, so they said "screw it" and packaged it as-is. Of course, that's just a guess. As for the level of control, I blogged about that after going into mental breakdown mode, caused by going two days straight of working non-stop with Dolphin. There's a lot more than filtering control that needs to be added in that department.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Exactly, although Vimeo is probably safe, and the sneezing panda can easily be an advert for a porn site instead. You'd be surprised what you can do within an swf file.... just Google "malicious swf". I'm just wondering why Boonex chose to use a different method of cleaning the content that is posted in forums, when they use HTMLpurifier for everything else. I'm sure they had a reason... I'd just like to know what it is. Maybe they just thought it was just fine the way it was. On my own site, I would like to have control over the domains from which content is allowed to be embedded in forums. As it is now, I do not have that control.
Probably the same reason the forum uses a different system to accomplish everything else, it's not really integrated into Dolphin that well. If you want a template change you have to make special changes to the forum template. I'm guessing the lack of the purifier is due to this poor integration and something simply overlooked.
Does anybody here have a clue what I'm talking about in this thread, or understand the possible consequences?
Yup and Yup.
It would or might be a disaster. Like MySpace.
I'll have to poke around later. Right now I am getting my sites set up on a dedicated server. Need to make sure everything runs right before I go on to break something else.
https://www.deanbassett.com
I'm setting up a test environment now and will be seeing what kind of exploits I can pull. I'll let you all know if my computer lights on fire or attempts to kill me.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
My guess is that they either forgot to include the same filtering methods for Orca, or the script didn't like it, so they said "screw it" and packaged it as-is. Of course, that's just a guess.
That's probably a pretty good guess. The nice thing about htmlpurifier, is the whitelisting, and you can't do that with the forums. Since Orca forums are also used in Events and Groups, that can turn into something ugly for site admins, because any abuse will be more difficult to spot. Without whitelisting, it's pretty easy to embed an swf that will take you to an attack site if you click on it.... which could get your site blacklisted by Google. I hate to sound like a doomsayer, but such things may be possible. This sort of thing is probably not much of a concern on small sites. One thing is constant though... the bigger a website gets, the more the spammers and hackers will want to f**k with it.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
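The per-domain control asked for in the last two posts (an allowlist of hosts from which <object>/<embed> content may be loaded, applied to forum posts the way HTML Purifier's whitelisting is applied elsewhere), as an added example that is not part of this thread and is not Orca, Dolphin or HTML Purifier code. The trusted-host set (vimeo.com, player.vimeo.com, www.youtube.com) is an assumption chosen for illustration; the sample post is constructed, reusing a shortened form of the truveo embed quoted at the top of the thread plus a made-up Vimeo-style embed. The filter only handles the embed elements and a few always-forbidden tags; everything else is passed through untouched, so general HTML cleaning still belongs to a full sanitizer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the hosts this site's admin trusts to serve embedded players.
ALLOWED_EMBED_HOSTS = frozenset({"vimeo.com", "player.vimeo.com", "www.youtube.com"})

EMBED_TAGS = {"object", "embed", "param"}
ALWAYS_DROP = {"script", "iframe", "applet"}
VOID_TAGS = {"param", "embed", "img", "br", "hr"}
# Attributes that survive on the embed elements; event handlers never do.
KEPT_ATTRS = {
    "object": {"type", "data", "width", "height"},
    "embed": {"type", "src", "width", "height", "allowfullscreen"},
    "param": {"name", "value"},
}


def looks_like_url(value):
    """Anything with a scheme (http:, javascript:, ...) or scheme-relative (//host)."""
    v = value.strip()
    return v.startswith("//") or urlsplit(v).scheme != ""


def host_allowed(url, allowed=ALLOWED_EMBED_HOSTS):
    """True only for http(s) URLs whose host is exactly on the allowlist."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed


class EmbedAllowlistFilter(HTMLParser):
    """Rewrites a post, dropping forbidden elements and off-list embeds."""

    def __init__(self, allowed=ALLOWED_EMBED_HOSTS):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element being dropped
        self.dropped = []    # (tag, reason) pairs, useful for admin logging

    def _emit_start(self, tag, attrs):
        parts = [tag] + ['%s="%s"' % (k, escape(v or "", quote=True)) for k, v in attrs]
        self.out.append("<%s%s>" % (" ".join(parts), " /" if tag in VOID_TAGS else ""))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1  # nested element inside a dropped one
            return
        if tag in ALWAYS_DROP:
            self.dropped.append((tag, "forbidden element"))
            self.skip_depth = 1
            return
        if tag in EMBED_TAGS:
            attrs = [(k, v) for k, v in attrs if k in KEPT_ATTRS[tag]]
            for k, v in attrs:
                if v and looks_like_url(v) and not host_allowed(v, self.allowed):
                    self.dropped.append((tag, "host not allowlisted: " + v))
                    if tag not in VOID_TAGS:
                        self.skip_depth = 1  # children (params, fallback) go too
                    return
        self._emit_start(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments are dropped outright


def filter_embeds(post_html, allowed=ALLOWED_EMBED_HOSTS):
    """Return (cleaned_html, dropped) for one user-supplied post."""
    f = EmbedAllowlistFilter(allowed)
    f.feed(post_html)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample post: a shortened truveo embed, a made-up Vimeo-style
# embed carrying an event handler and an off-list <param>, and a <script>.
SAMPLE_POST = (
    '<p>check this out</p>'
    '<object type="application/x-shockwave-flash" height="245" width="425" '
    'data="http://xml.truveo.com/eb/i/2723394623/p/1">'
    '<param name="src" value="http://xml.truveo.com/eb/i/2723394623/p/1" />'
    '<param name="allowfullscreen" value="true" /></object>'
    '<object type="application/x-shockwave-flash" width="400" height="225" '
    'onmouseover="alert(1)" data="http://vimeo.com/moogaloop.swf?clip_id=1">'
    '<param name="allowfullscreen" value="true" />'
    '<param name="movie" value="//attacker.example/loader.swf" /></object>'
    '<script>alert(document.cookie)</script>'
)

if __name__ == "__main__":
    cleaned, dropped = filter_embeds(SAMPLE_POST)
    print(cleaned)
    for tag, reason in dropped:
        print("dropped <%s>: %s" % (tag, reason))
```

Run against the sample, the truveo object is removed together with its params, the Vimeo object survives with its onmouseover stripped and its off-list movie param removed, and the script is gone. The filter fails closed: anything that parses as a URL but is not http(s) on a listed host (javascript:, scheme-relative //host, a look-alike such as vimeo.com.attacker.example) is rejected, and an unclosed dropped element swallows the rest of the post rather than leaking it. HTML Purifier's own HTML.SafeObject and HTML.SafeEmbed directives admit Flash embeds, but restricting them to chosen hosts still needs a custom URI filter; the allowlist logic above is a stand-in for that.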
More of a reason to be wanting an Invision Power Board integration, I suppose.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
I could not get the video to post to my forums, although it would let me preview. The submit never works; remove the code and the post "posts".
ManOfTeal.COM a Proud UNA site, six years running strong!
RE: I could not get the video to post to my forums, although it would let me preview. The submit never works; remove the code and the post "posts".
You probably have that incredibly annoying PHPIDS enabled.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
RE: I could not get the video to post to my forums, although it would let me preview. The submit never works; remove the code and the post "posts".
You probably have that incredibly annoying PHPIDS enabled.
I call it UAC, but I suppose it's the same thing.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Yes, the videos work very well.
Could you guys enlighten me? I guess I'm off to Google what that is.
OK, I went here http://php-ids.org/ but I did not "enable" anything. Is this a feature of D7?
ManOfTeal.COM a Proud UNA site, six years running strong!
Ok. I cannot embed videos to the forum using the code generated from the video page. Like everyone says, it's stripping tags. Everyday it's something new.
All I want to do is grab a video from my video album and use it in a forum post.
http://towtalk.net ... Hosted by Zarconia.net!